Mateusz Kwapich <mitrandir@fb.com> [Tue, 22 Mar 2016 17:05:11 -0700] rev 28659
convert: add new, non-clowny interface for shelling out to git (SEC)
CVE-2016-3069 (1/5)
To avoid shell injection and for the sake of simplicity let's use the
common.commandline for calling git.
Mateusz Kwapich <mitrandir@fb.com> [Sun, 20 Mar 2016 21:52:21 -0700] rev 28658
subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC)
CVE-2016-3068 (1/1)
Git's git-remote-ext remote helper provides an ext:: URL scheme that
allows running arbitrary shell commands. This feature allows
implementing simple git smart transports with a single shell shell
command. However, git submodules could clone arbitrary URLs specified
in the .gitmodules file. This was reported as CVE-2015-7545 and fixed
in git v2.6.1.
However, if a user directly clones a malicious ext URL, the git client
will still run arbitrary shell commands.
Mercurial is similarly effected. Mercurial allows specifying git
repositories as subrepositories. Git ext:: URLs can be specified as
Mercurial subrepositories allowing arbitrary shell commands to be run
on `hg clone ...`.
The Mercurial community would like to thank Blake Burkhart for
reporting this issue. The description of the issue is copied from
Blake's report.
This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env
variable to git commands with the same list of allowed protocols that
git submodule is using.
When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it
to git without modifications.
Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:30:26 -0700] rev 28657
parsers: detect short records (SEC)
CVE-2016-3630 (2/2)
This addresses part of a vulnerability in binary delta application.
Matt Mackall <mpm@selenic.com> [Wed, 16 Mar 2016 17:29:29 -0700] rev 28656
parsers: fix list sizing rounding error (SEC)
CVE-2016-3630 (1/2)
This addresses part of a vulnerability in application of binary
deltas.
Matt Mackall <mpm@selenic.com> [Mon, 28 Mar 2016 17:16:00 -0500] rev 28655
merge with stable
liscju <piotr.listkiewicz@gmail.com> [Mon, 28 Mar 2016 09:12:03 +0200] rev 28654
debugsetparents: remove redundant invocations of begin/endparentchange
Method localrepo.setparents invokes begin/endparentchange internally,
so there is no need to invoke it explicitly in debugsetparents.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 13:13:19 -0700] rev 28653
sslutil: add docstring to wrapsocket()
Security should not be opaque.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 11:39:39 -0700] rev 28652
sslutil: remove indentation in wrapsocket declaration
It is no longer needed because we have a single code path.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:18:32 -0700] rev 28651
sslutil: always use SSLContext
Now that we have a fake SSLContext instance, we can unify the code
paths for wrapping sockets to always use the SSLContext APIs.
Because this is security code, I've retained the try..except to
make the diff easier to read. It will be removed in the next patch.
I took the liberty of updating the inline docs about supported
protocols and how the constants work because this stuff is important
and needs to be explicitly documented.
Gregory Szorc <gregory.szorc@gmail.com> [Sun, 27 Mar 2016 14:08:52 -0700] rev 28650
sslutil: move _canloaddefaultcerts logic
We now have a newer block accessing SSLContext. Let's move this
code to make subsequent refactorings of the former block easier.